What “really” matters in Cyber?

Mike Davis [email protected] ElectEngr/MSEE, CISSP & CISO SysEngr. ISSA / ISC2 / SOeC / AFCEA / NDIA / IEEE / INCOSE / et al. What “REALLY” matters in Cyber? RE: Internet of things, privacy, security and beyond. Circa 2015. Not sure HOW it can affect you (as it HAS already)? AND what is a “thing”? Is that MORE we have to do??? COMPLEXITY / easy button. Bottom line - As in ALL things it is mostly about the ‘value proposition’! ISC2 with IEEE Cyber

Upload: vuongtram, posted 13-Feb-2017

TRANSCRIPT

  • Mike Davis [email protected] ElectEngr/MSEE, CISSP & CISO SysEngr

    ISSA / ISC2 / SOeC / AFCEA / NDIA / IEEE / INCOSE / et al

    What REALLY matters in Cyber? RE: Internet of things, privacy, security and beyond

    Circa 2015

    Not sure HOW it can affect you (as it HAS already)?

    AND what is a "thing"? Is that MORE we have to do???

    COMPLEXITY

    easy button

    Bottom line - As in ALL things, it is mostly about the value proposition!

    ISC2 with IEEE Cyber

  • What's Wrong With This Security? The issues / gaps therein are where the cyber opportunities are!!!

    The gates were fully locked, properly configured and validated.

    I could not get through them. But.... Thus cyber can be an illusion.

    When a capability is invisible, like IA, safety, reliability, etc., what you see is not the whole picture!

  • Cutting through the CyberSecurity Fog! B.L.U.F. - Bottom Line Up Front

    The threats are very real, and the news shows only a small percentage of them.

    It does not just happen to the other guy: YOU WILL be / ARE affected.

    Focus on business risk reduction and minimizing legal liabilities.

    Adequate cyber protections are but one part; so is cyber insurance.

    You can not buy cyber security; you must manage cyber's many parts. The standard IA/Security suite is pretty good IF maintained well in operation.

    The P6 principles still apply (being prepared), along with strategic partnerships.

    Few can afford to go it alone: TEAM up & use a managed security service.

    Don't fix cracks in the cyber walls while the barn door is open!

    Keeping your cyber suite well maintained cuts incidents by 95% (the cyber hygiene slide at the end of the deck gives the NSA, Verizon and Navy figures behind this).

  • OK, so what does matter in Cyber?

    It's NOT about expensive new cyber capabilities / toys, but more about the interoperability glue (distributed trust, resiliency, automation, profiles).

    You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents stabilizes the environment!

    CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms --- provenance, quality, pedigree, assured).

    90+% of security incidents are from lack of doing the basics! USE effective Security Continuous Monitoring (SCM / SIEM), a MUST DO!

    With enforced cyber hygiene, enterprise access control, & reduced complexity (APLs).

    Shift from only protecting the network to the DATA security itself: an information-centric view.

    Embrace your Risk Management Plan (RMP) and LIVE IT! Have an enforceable security policy (what is allowed / not) and train to it.

    KNOW your baseline - protect the business from the unknown risks as well.

    Employ a due diligence level of security, then transfer residual risks!

  • So then, what MUST we DO? (MY TOP TEN - well, at least to the first / second order effect, 95% level!)

    Follow the SANS Top 20 Critical Security Controls and the NSA top 10 mitigations, AND map your security mitigations into the NIST small business security guide (NISTIR 7621).

    1 - KNOW your baseline from several views / aspects:

    - Keep track of your HW / SW assets and their versions / status, as you can't manage what you don't know. Document what your secure baseline is, then monitor it.

    - Maintain the cyber suite (hygiene, settings, patches, etc.; automate where possible) and enforce strict access control (implement least privilege, use two-factor authentication on key data / equipment (especially on sensitive data / critical cyber capabilities), two-person control on key assets, limit PC-to-PC / peer-to-peer comms, minimize privileged accounts, etc.).

    - Make it hard for hackers to get in and get around; this is JOB ONE: effective firewall rules (deny all with exceptions; monitor traffic going in AND out), segment the networks, tighten / lock down the browser (where around 80% of all malware comes in, and over SSL it bypasses your cyber suite too), and don't allow users / non-admins to install anything on any end user device!

    2 - Encrypt, encrypt, encrypt (and have a really good key management program too, as that's the real key).
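A worked example of the "know your baseline, then monitor it" step in item 1. This is an added example and not code from the original deck: it takes a documented baseline per host (approved software versions, accounts allowed local admin, TCP ports expected to be listening) and reports every deviation found in the current inventory, which is exactly the drift a hygiene program has to catch (missing patches, unapproved tools, extra privileged accounts, new listeners, unknown hosts). The `Host` structure, the host names, versions and ports are all constructed sample data and assumptions about how you record your own baseline.

```python
"""Baseline drift check: document the secure baseline, then compare what is
actually deployed against it and report what you did not approve.

Added example, not code from the original deck.  The hosts, package versions,
admin accounts and listening ports below are constructed sample data; in
practice the "current" view would be pulled from your asset inventory / SCM tool.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    software: dict[str, str]   # package -> approved (baseline) or installed (current) version
    admins: frozenset[str]     # accounts holding local admin / root
    listening: frozenset[int]  # TCP ports expected (baseline) or observed (current) to be open


def drift(baseline: dict[str, Host], current: dict[str, Host]) -> list[str]:
    """Return one finding per deviation; an empty list means the environment matches the baseline."""
    findings: list[str] = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings.append(f"{name}: unknown host, not in the documented baseline")
            continue
        if name not in current:
            findings.append(f"{name}: baseline host missing from the current inventory")
            continue
        b, c = baseline[name], current[name]
        # Software: anything not on the approved list, or at a version other than the approved one
        for pkg, ver in sorted(c.software.items()):
            if pkg not in b.software:
                findings.append(f"{name}: unapproved software {pkg} {ver}")
            elif ver != b.software[pkg]:
                findings.append(f"{name}: {pkg} at {ver}, baseline is {b.software[pkg]}")
        for pkg in sorted(b.software.keys() - c.software.keys()):
            findings.append(f"{name}: baseline package {pkg} is not installed")
        # Privileged accounts: under least privilege the set should only ever shrink
        for acct in sorted(c.admins - b.admins):
            findings.append(f"{name}: extra privileged account {acct}")
        # Listeners: a new open port is either an unapproved service or a backdoor
        for port in sorted(c.listening - b.listening):
            findings.append(f"{name}: unexpected listener on tcp/{port}")
    return findings


# Constructed sample data (assumption: two documented servers, one laptop that was never approved)
BASELINE = {
    "web01": Host("web01", {"nginx": "1.10.3", "openssl": "1.0.1t"},
                  frozenset({"root", "ops"}), frozenset({22, 443})),
    "db01": Host("db01", {"openssl": "1.0.1t", "postgresql": "9.4.12"},
                 frozenset({"root", "dba"}), frozenset({22, 5432})),
}
CURRENT = {
    "web01": Host("web01", {"nginx": "1.10.3", "openssl": "1.0.1k", "nc": "1.10"},
                  frozenset({"root", "ops", "tmpadmin"}), frozenset({22, 443, 8080})),
    "db01": BASELINE["db01"],
    "dev-laptop": Host("dev-laptop", {"openssl": "1.0.1t"}, frozenset({"dev"}), frozenset({22})),
}

if __name__ == "__main__":
    for finding in drift(BASELINE, CURRENT) or ["no drift from baseline"]:
        print(finding)
```

Run as-is it reports five findings: the unknown laptop, an unapproved `nc` binary and a rolled-back OpenSSL on web01, a stray `tmpadmin` account and a new listener on tcp/8080. The point of the design is that the baseline is data you sign off on, not a scan result, so the report answers "what changed that I did not approve" rather than "what does the network look like today".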

  • So then, what MUST we DO? (cont.)

    3 - Use approved IA / cyber products

    - Only buy off the NIAP / NSA / DISA lists of Approved / Preferred items (APLs). Minimizes your product complexity ...and... they come with C&A / A&A / V&V security pedigrees too!

    4 - Effective SCM / SIEM / monitoring capability

    - Watch for unusual behavior and keep track of key cyber settings, DNS, etc.

    - And user actions too (humans, when monitored, always behave better).

    5 - IDS/IPS (signatures) AND anomaly detection capability

    - Watch for insider threats while monitoring both incoming AND outgoing traffic.

    - Whitelisting works and is not hard to do; put developers in an isolated sandbox.

    6 - DLP / DRM / data tracking capability

    - Follow the data; complement SCM and support a continuous audit (risk) approach.
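A worked example of the monitoring in items 4 and 5, added here and not part of the original deck. It runs three SCM / SIEM-style checks over a handful of log events: a burst of failed logins from one source (password guessing), DNS queries to domains outside an allowlist (beaconing or tunnelling, the "keep track of DNS" point) and a user whose outbound byte count crosses a threshold (the outgoing-traffic / insider view). The log format, the thresholds, the allowlist and every sample line are constructed assumptions so that the script runs offline; a real deployment would be fed syslog, DNS and NetFlow records by the SIEM.

```python
"""SCM / SIEM-style checks: watch for unusual behavior in authentication, DNS and
outbound traffic, and turn it into alerts.

Added example, not from the original deck.  The log format, the thresholds and the
sample lines are all assumptions made so the script runs offline.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample events, one per line: "<timestamp> <kind> key=value ..."
SAMPLE_LOG = """\
2015-03-02T08:00:01 auth src=10.0.5.7 user=alice result=FAIL
2015-03-02T08:00:02 auth src=10.0.5.7 user=alice result=FAIL
2015-03-02T08:00:03 auth src=10.0.5.7 user=admin result=FAIL
2015-03-02T08:00:04 auth src=10.0.5.7 user=root result=FAIL
2015-03-02T08:00:05 auth src=10.0.5.7 user=bob result=FAIL
2015-03-02T08:00:09 auth src=10.0.9.5 user=carol result=FAIL
2015-03-02T08:00:10 auth src=10.0.9.5 user=carol result=OK
2015-03-02T08:00:20 dns src=10.0.7.12 query=update.vendor.example
2015-03-02T08:00:21 dns src=10.0.7.12 query=zx9k3a8sdf7q.badcdn.example
2015-03-02T08:01:00 net src=10.0.9.4 user=bob dst=203.0.113.10 bytes_out=52428800
2015-03-02T08:02:00 net src=10.0.9.4 user=bob dst=203.0.113.10 bytes_out=73400320
2015-03-02T08:02:30 net src=10.0.9.5 user=carol dst=198.51.100.7 bytes_out=4096
"""

# Assumed policy thresholds; tune them to your own baseline.
FAIL_THRESHOLD = 5                    # failed logins from one source before alerting
DNS_ALLOWLIST = {"corp.example", "vendor.example"}
EXFIL_BYTES = 100 * 1024 * 1024       # outbound bytes per user before alerting

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<fields>.*)$")


def parse(text: str) -> list[dict[str, str]]:
    """Turn key=value lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "kind": m["kind"]}
        ev.update(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        events.append(ev)
    return events


def failed_login_bursts(events) -> dict[str, int]:
    """Sources with FAIL_THRESHOLD or more failed logins (password guessing)."""
    fails = Counter(e["src"] for e in events if e["kind"] == "auth" and e.get("result") == "FAIL")
    return {src: n for src, n in fails.items() if n >= FAIL_THRESHOLD}


def unexpected_dns(events) -> list[str]:
    """Queries whose registrable domain is not on the allowlist (beaconing, tunnelling)."""
    out = []
    for e in events:
        if e["kind"] != "dns":
            continue
        domain = ".".join(e["query"].split(".")[-2:])  # simplified: last two labels
        if domain not in DNS_ALLOWLIST:
            out.append(e["query"])
    return out


def exfil_candidates(events) -> dict[str, int]:
    """Users whose total outbound bytes reach EXFIL_BYTES (insider / malware exfiltration)."""
    totals: dict[str, int] = defaultdict(int)
    for e in events:
        if e["kind"] == "net":
            totals[e["user"]] += int(e["bytes_out"])
    return {u: b for u, b in totals.items() if b >= EXFIL_BYTES}


def alerts(text: str) -> list[str]:
    """Run every check over a log and return the alert lines an analyst would see."""
    events = parse(text)
    out = []
    for src, n in failed_login_bursts(events).items():
        out.append(f"possible brute force: {n} failed logins from {src}")
    for q in unexpected_dns(events):
        out.append(f"DNS query to non-allowlisted domain: {q}")
    for user, nbytes in exfil_candidates(events).items():
        out.append(f"possible exfiltration: {user} sent {nbytes // (1024 * 1024)} MiB")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

On the sample it raises three alerts: five failures from 10.0.5.7, one lookup of a random-looking host under a domain nobody approved, and 120 MiB leaving from bob's workstation. Note what it does not alert on: carol's single failed login and her 4 KiB transfer stay below threshold, which is the whole value of a baseline; without agreed thresholds every check degenerates into noise.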

  • So then, what MUST we DO? (cont.)

    7 - User awareness and education / training

    - Make it personal: targeted (JIT) info to user types, even fun / make a game of it.

    8 - Add in a little "OSI" too (open source intelligence, OSINT)

    - Know who might be targeting you and the methods they would use against you.

    - Join your sector ISACs, etc., to be aware of the threats and common mitigations.

    9 - A Risk Management Plan is essential

    - The RMP must integrate with and support the business success factors / line managers!

    - RM has many moving parts to account for, so write them down (see the RMP slide that follows).

    10 - Get Cyber Insurance

    - Part of risk management: transfer risks, but know what IS (and is not) included.

    All these capabilities exist, are sold by many vendors, and are not hard to buy, use, and monitor.

    To build your own effective defense-in-depth / breadth cyber ecosphere, see our plan too:

    http://www.sciap.org/blog1/wp-content/uploads/executing-an-effective-security-plan.pdf

  • Security Main Factors - Given ALL the NIST / NSA / DISA guidance (see back-ups) - What MUST WE DO?

    Implement the NIST "absolutely necessary" elements first and foremost to protect your data (encryption and back-ups).

    Effective passwords are still the bane of basic security, and policy is still poor! (Tokens / two-factor authentication should be used for critical data / processes.)

    Securing the client, fortifying the browser, buying trusted business apps and services, where the browser / client is THE largest malware entry point!

    Minimal security suite: antivirus, firewall, IDS, VPN, ISP / wireless security.

    Monitoring tools need to manage CM / hygiene, track users / data, and provide alerts (SCM / SIEM); this supports preplanned SOPs / IRP / BCP / COOPs, etc.

    Enforce a living security policy: quantify actual risks, strict need to know.

    DATA protection - encryption, keys, and access control - minimize IP loss, DLP.

    A robust and adaptive security strategy = risk management plan (RMP) to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc.

    Our Cyber Security operator course collates all these guides and maps

  • The Integrated Business RM Approach + Making the Risk Management Plan (RMP) work!

    RMP elements (shown as a wheel on the slide):

    - Company Vision (business success factors)

    - C&A / V&V (effective / automated)

    - Security Policy (mobile, social media, etc.)

    - Education / Training (targeted, JIT, needs based)

    - Known Baseline (security architecture)

    - CMMI / Sustainment (SOPs / processes)

    - MSS / CISO (3rd party IV&V support)

    - Data Centric Security (DLP, reputation based methods)

    - Insider Threat

    - Company Intel (open source, FB, etc.)

    - SCM / SIEM (monitor / track / mitigate)

    - Cyber insurance (broker & legal counsel)

    - Privacy by Design (manage PII, HIPAA, compliance)

    Common Business RMP model (re: RMF / COBIT & Risk IT)

    AND using the NIST Cybersecurity Framework (re: CAR / ESA)

  • Complexity of Enterprise IT Systems is Increasing - AND so is the associated Cyber Security, from sensor to cloud!

    Follow the DATA: where is it, who has it, how sure are you?

    So - what is "good enough" security?

  • What's new in cyber, and what matters?

    RFID, Apps, MEMS, WSN, sensors, SCADA, PLC, ASIC, API, etc., etc.

    Sensor + WiFi = device --- Things -> systems, machines, equipment, and devices all connected to each other

    Is all this stuff secure? How much is needed?

    The Internet of Things (IoT) is not really new.

    IoT requires ALL the cyber protections we already know - and still need to implement!

    COMPLEXITY is everywhere! Where sensors dominate, where / how does privacy fit in IoT?

  • Gartner's 2013 Hype Cycle for Emerging Technologies

    Everything connected to everything - ? Comms secure ?

    Automation = machines in control - ? M2M secure ?

    Pervasive new technologies - ? Built secure ?

    ALL the technologies need built-in security = secure data, comms & privacy!

    How do we prove end-2-end security?

    What is an adequate / due diligence level of security???

    CYBER is all about SECURE technologies, DATA and communications!

  • Cyberspace Characteristics

    All of the warfighting - and related business - domains intersect.

    The Cyberspace Domain is contained within and transcends the others.

    In relation to other mission areas run by different Communities Of Interest (COI), cyberspace is a blend of exclusive and inclusive ties.

    Frequently the COI boundaries / MOAs are implicit.

    These Venn connections / COIs are pervasive.

    Numerous, dynamic COIs dominate relationships - adding Complexity & Comms & Control overhead - causing cross domain / COI DATA sharing effects.

    (Venn diagram on the slide: IA / Security, C2, CIP / infrastructure, Banking / retail, Manufacturing, Communications.)

    Do NOT underestimate this aspect; it affects the CONTROLS needed for Privacy!

  • What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)

    Fundamental issues (givens?)

    - Threats are elusive / morph, so plan / mitigate around consequences (aka a fault tree).

    - KISS, as complexity is our enemy: do the basics well (hygiene, anonymity, etc.).

    - In a connected world, it's the shared vulnerabilities that will get you / ALL of us.

    - They have an asymmetrical advantage, so plan with it (and they don't follow the rules / laws).

    - WE ALL need common homogeneous security protection in a heterogeneous world.

    Essential gaps / needs (tenets?)

    - Invest in the OSD / NSA R&D / S&T gap capabilities, as authoritative sources.

    - Apply trade-offs / assessments using a common end-state (an open / ubiquitous world).

    - Use an enterprise risk management plan (RMP), and FOCUS on proactive SCM!

    - If you can't integrate it into your IT / network environment, then it is useless.

    - Minimize what you don't know you don't know & get cyber insurance.

    If you don't know where you're headed, any blind alley will do. The bad actors continue to count on US ALL not being in sync.

  • Cyber requires enterprise integration - Things are only the stuff we need to accommodate all IT / IA aspects!

    Systems / capabilities are characterized by their boundaries, where interfaces / controlling parameters / PPSM are key.

    IoE = IoT + people, process, policy and DATA

  • Things must communicate - No. of directed paths = n(n-1), i.e. it grows quadratically with the number of things (100 million devices already gives about 10^16 paths). Are ALL using secure channels? Data protected? Adequate authentication? No covert paths established?

    Tens of thousands of trillions of communication paths!

    Securing low-BW channels requires optimal cryptography algorithms, adequate key management systems, and security protocols that connect all these devices.

  • Threat Vectors of Interest (examples)

    Mobile devices and wireless: always predicted, yet proliferating in 2014. Increasing Android Trojans, digital wallets, USER-provided network services / access points!

    Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, Z-Wave, ARM, etc.).

    BYOD: many more hidden costs, legalities and risks than it appears at first.

    Cyber crime: easy money, minimal downside and growing (ransomware, etc.). Illicit cyber revenues have essentially equaled all illegal drug trafficking dollars.

    The insider threat is much more impactful than given credit for, considering compromised services and computing devices of all kinds (aka supply chain security).

    With improved social engineering attacks and stealth exfiltration techniques, etc.

    Mobile devices and cloud infrastructure hacking are two of the biggest attack vectors in crime / terrorism in 2014 and beyond.

    Verizon Data Breach Report (2012) - MOST breaches avoidable! 96% of attacks not difficult; 85% took weeks or more to discover (average is 416 days); 92% discovered by a third party; 85 - 97% of data breaches / security incidents avoidable through simple or intermediate controls.

    Forbes - The Biggest Cybersecurity Threats of 2013+: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware.

    - AND Cloud security - pretty good; SLAs not enough, but ISPs / data centers better than most.

  • Threat Vectors of Interest (cont.)

    SSL / XML / web (HTML5) / browser vulnerabilities will proliferate.

    Browsers remain a major threat vector (80% - bypasses the IA suite) & watering holes.

    JAVA / VM / active code MUST be strictly managed / controlled / under CM.

    Convergence of data security and privacy regulation worldwide... Compliance gets pervasive (PCI DSS, HIPAA, etc.)... Shift focus to privacy by design!

    Data security goes to the cloud - where security due diligence is more than SLAs!

    The IPv6 transition will provide threat opportunities. Data Loss Prevention (DLP) is still needed.

    Containment is the new prevention (folks now get the "resilience" aspect...).

    MUCH to consider in the threat equation, and it's always changing; hence why you must ALSO practice consequence risk management.

    Nation-sponsored hacking: when APT meets industrialization. More targeted custom malware (Stuxnet -> Duqu / and FLAME! are only the beginning).

    Misanthropes and anti-socials / hacktivism morphs: ANYONE can do it now!

    Full-time incident response needed: COOP, forensics, reporting, etc., etc. Monitoring and analysis capability increase, but not enough (re: near real-time forensics & chain-of-custody evidence). Continuous monitoring is KEY (re: SCM / SIEM).

  • Verizon Data Breach Investigations Report - DBIR (2014)

    We have met the cyber enemy, and they are US(ers)

    10 year series, 63,437 incidents, 1,367 breaches, 95 countries. A huge sample size! This includes YOUR business category too!!!

    WHAT - 92% of incidents described by just nine patterns; shift from geopolitical attacks to large-scale attacks on payment card systems.

    Sectors (incidents) - Public (47,479), Information (1,132) and Finance (856)

    Threat patterns (%):

    - POS intrusions - 31

    - Web App Attacks - 21

    - Cyber espionage - 15

    - Card Skimmers - 14

    - Insider misuse - 8

    - Crimeware - 4

    HYGIENE factors - see also the Ponemon Institute's cyber report: key threats from cost-based activities are malware, malicious insiders and web-based attacks. Forbes lists these: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware.

    Mitigations:

    - restrict remote access

    - enforce password policies

    - minimize non-POS activity on those terminals

    - deploy A/V (everywhere, POS too)

    - evaluate threats to prioritize treatments

    - look for suspicious network activity

    - use two-factor authentication

  • Yes, it really is ALL about the DATA* (* and TRUST!)

    2020 Data Vision (courtesy of Dan Green / SPAWAR):

    Themes and Memes (Technology vs Technology Adoption)

    Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)

    Meme: an idea, behavior, or style that spreads from person to person within a culture

    It's a data-centric world; thus we need Privacy by Design (PbD)

    CBAD = Cloud, Big Data, Analytics, Data Science (are you all-in?)

    Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)

    Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)

    Embedded Computing = eHPC, Tessel (mCPU / Java), Programmable hardware

    LBS = Location Based Services, IPS, Beaconing, NFC

    IoT = Internet of Things, M2M, Quantified Self

    Mobilization = Preparation for Conflict / Competition, Autonomy, The Draft

    STEM = Science Technology Engineering Math, Generation NOW, Old Dogs (YOU)

  • A cyber end-state stresses encapsulation using secure communications

    What does a simple IA / Cyber vision / end-state look like? AND what are the requirements?

    AND DATA - assured / pedigree / provenance? Privacy satisfied?

    Cyber is ALL about TRUST, Rules / MOAs & State.

    (Diagram on the slide: things + comms + the cloud; IoT = things + comms; KEY C-I-A entities / touch points; encapsulation as in object oriented programming.)

  • NSPD-54 / HSPD-23: CNCI - 12 Initiatives (http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative)

    Focus Area 1 - Establish a front line of defense:

    - Trusted Internet Connections

    - Deploy Passive Sensors Across Federal Systems

    - Pursue Deployment of Intrusion Prevention Systems

    - Coordinate and Redirect R&D Efforts

    - Connect Current Centers to Enhance Situational Awareness

    Focus Area 2 - Resolve to secure cyberspace / set conditions for long-term success:

    - Develop Govt-wide Counterintelligence Plan for Cyberspace

    - Increase Security of the Classified Networks

    - Expand Education

    Focus Area 3 - Shape future environment / secure U.S. advantage / address new threats:

    - Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs

    - Define and Develop Enduring Deterrence Strategies & Programs

    - Manage Global Supply Chain Risk

    - Define Federal Role for Cybersecurity in Critical Infrastructure Domains

    Cyber efforts must synchronize with Federal investments.

    The HARD part is implementing enterprise integration, interoperability and controlling emergent behavior - that can affect most focus areas.

  • DoD Cyber Priority Steering Council (PSC) S&T / R&D Roadmap

    What matters? Key Capability Gaps / Areas: 4+1

    - Cyber M&S and Experimentation (cross cutter)

    - Autonomous responses and C3 tools

    - Environment is robust and self-healing

    - Mixed trust levels in heterogeneous space

    - Support essential business success functions

    Cyber PSC PA-Releasable Briefing, November 2012, page 23. Gaps are not things / capabilities but integration and interoperability!

  • KEY Enabling Technology Areas (ranked on the slide high / med / low by value / need)

    Response and Cyber Maneuver

    Visualization and Decision Support

    Human Factors and Training

    Malware / Forensics Analysis and Reverse Engineering

    Resilient Infrastructure and Comms

    Scientific Theory and Measures

    Sensing and Data Fusion

    Software Pedigree and Provenance

    Distributed Trust

    Resilient Architectures

    Component Trust

    Detection and Autonomic Response

    Advanced Cross-Domain Solutions

    Advanced Cryptography

    Quantum Computing, Comms, and Crypto

    Biometrics

    Code Verification and Compliance

    Correct (Assured) by Construction Software

    Deception and Information Hiding

    Recovery and Reconstitution

    CYBER is fundamentally about distributed trust / assured DATA / secure messaging!

    Additional specificity / details and needs / gaps in back-up.

  • Strategic Cyber Elements

    (1) Collaborate on a common enterprise IA / cyber strategy and vision: policy mapped to prioritized capabilities with assigned resources = good enough / cyber sufficiency!

    (2) Develop a common overall enterprise risk assessment (ERA) approach that accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST RMF (Risk Management Framework, SP 800-37) weighted across the 12 CNCI initiatives.

    (3) Align and synchronize resources and cyber gaps / initiatives across federal & commercial organizations and tier 1 - tier 3 architecture perspectives (IT & cyber are ONE).

    (4) Address the pervasive lack of basic cyber hygiene enterprise-wide, within the complete life-cycle aspects of an organization's people, processes and products (technology); enforce a scalable, global access control model that preserves least privilege and attenuated delegation (ZBAC).

    (5) Reduce complexity - build a trusted cyber infrastructure: use APLs along with the existing IA / CND infrastructure, as an integrated SoS with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!

    (6) Better integrate / leverage education and proactive defense (and IO); stealth offense is best left to law enforcement and qualified federal entities (or escalation / retaliation will occur).

    Top-down approach to a balanced, prioritized cyber execution plan.

  • SO, just what are we trying to orchestrate?

    An integrated Cyber Defense in Depth / Breadth (DiD) EcoSphere: using dynamic lag and lead feedback, establish a proactive, dynamic CND / IA defense.

    (Feedback-loop diagram on the slide; the elements recoverable from it:)

    - Core: IA & CND

    - Inputs: threats, insider threats, sensors (IDS / IPS, DLP, etc.; near real-time), SA (sensors, CNA/E inputs, OpSec, Intel, etc.), Users & CoC

    - Forensic feedback (lagging indicators): Red Teams, defensive assessments, V&V / C&A, CERT / FBI incident results

    - Predictive feedback (leading indicators): Cyber I&W / SCM, virtual storefront

    - Responses: change soft settings via NMS / security management tools (takes secs to mins); develop & install upgrades (takes days to months)

    All PbD capabilities (including IoT) must be well integrated into the cyber system, with big data / predictive analytics / SIEM.

  • Building a Trusted Cyber Infrastructure = an adequately assured, affordable, net-centric environment

    (built from disparate heterogeneous capabilities that we must integrate into a homogeneous cyber ecosphere!)

    Make IA / CND / Security a commodity: use & enforce IA building blocks = APLs / PPLs -> NIAP.

    Interoperability and compose-ability are built in upfront and help dramatically reduce complexity and ambiguity.

    Thus, establishing known risks & pedigrees reduces attack surface, risks & TOC = baseline for PbD & IoT!

    Focus on a few core capabilities & devices = PCs, routers, IA suite, servers & SANs, all with access control.

    (Network diagram on the slide, with the Common Criteria Evaluation Assurance Level (EAL) scale 2 - 7 as its vertical axis. Elements: WAN router, distribution router, core router, network devices with assured IOS; IA suite = standard IA / CND suite (FW, A/V, IDS/IPS, CDS, VPN, crypto, key mgmt, security policy); PCs / end user devices, servers, SANs; secure OS, TSM, HBSS, ZBAC; HW / FW, secure OS kernel, secure virtual machine, strict access / ZBAC on ALL OSes (MS, Mac, Unix); security monitor; data centric security, defensive I&W. EAL labels on the diagram: various EAL, EAL 4 - 5, EAL 4, EAL 3 - 4, EAL 5 - 6, EAL 6.)

    All connections / communication paths need assured identity, authentication & authorization - including RFID, MEMS, WSN, sensors, ICS / SCADA, etc.

  • IA / Cyber and DATA must be built E2E!

    Thus, the DATA, IA / cyber controls, interfaces and profiles in each element / boundary must be quantified / agreed to upfront!

    (Hierarchy diagram on the slide: Enterprise > Site > Enclave > Network > SoS > Apps / services > HW / SW / FW, over the CCE - AND people and processes TOO!)

    Each sub-aggregation is responsible for the data / controls within its boundaries and also inherits the controls of its environment, where we need to formalize the reciprocity therein!

    WE have a natural hierarchy in our enterprise IT / network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in end-to-end (E2E) transactions.

    How does the DATA move, and what are the privacy protections / controls at each layer?

  • Notional Data Centric Architecture (DCA) iso the required privacy needs

    (Layered diagram on the slide: DATA - Storage - Services - Apps - Host / device - transport, with IA / Security / cyber (e.g., defense in depth (DiD)), IA controls / inheritance, business logic, middleware, behavior monitoring, FW / IDS / IPS and SCM continuous monitoring across the layers; OMG / DDS as the data bus; reputation-based security.)

    Supports quality / assured data (with a pedigree / provenance).

    Data is either at rest, being processed OR in transit.

    Must account for the four Vs: Volume, Variety, Velocity and Veracity.

    A PbD Cyber Model translates the data 4Vs into privacy attributes and controls.

    What IA / security capabilities are needed for the DATA itself?

    Cyber must be preserved in the full data AND capabilities life-cycle.

    How does the DATA move about? Must accommodate BOTH in-house and cloud.

  • DCA major elements

    Data-centric architecture (DCA) decouples designs and simplifies communication while increasing capability and easing system evolution. DCA can link systems of systems into a coherent whole, using an open standard (OMG DDS). Transports, operating systems, and other location details do not need to be known, allowing adaptation to performance, scalability, and fault-tolerance requirements.

    Define and modularize DCA components = create specifications (capabilities and profiles): DCPS, DDSI, DataReader, DataWriter, Pub / Sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc. These all also have cyber security aspects built in.

    Use OMG / DDS as a reference AND the data schema / tagging authoritative sources.

    SECURE DCA services = Data Centric Security (DCS)

  • DCA / DCS Overall Construct (need to V&V that security is built in / adequate in services)

    (Block diagram on the slide: Web Services, Event processing, Database, ESB, Workflow engine, Legacy Bridge, ... all on the DATA bus (DDS middleware infrastructure) & DCS services.)

    + Standard IA / CND / security suite = IA devices = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN

    + Network infrastructure = CCE = common core computing / network environment - with IA enabled devices

    Other services / capabilities:

    - Data-to-user authentication

    - Signed / secure applications

    - Protected communications

    - Authoritative / assured DBs

    - Virtual private data-stores (e.g., VPNs)

    - Cryptographic boundaries for isolation

    - Target Java and .NET for enterprise stacks

    A PbD cyber model must map the data methods, controls, & services into privacy aspects.

  • Data centric services and cloud evolution: ownership and security

    Who manages each layer (the shared-responsibility diagram on the slide, reconstructed):

    Layer           On-premises   IaaS (Cloud v1)   PaaS (Cloud v2)   SaaS
    Application     You           You               You               Vendor
    Data            You           You               You               Vendor
    Middleware      You           You               Vendor            Vendor
    OS              You           You               Vendor            Vendor
    Virtualization  You           Vendor            Vendor            Vendor
    CPU/Storage     You           Vendor            Vendor            Vendor
    Networking      You           Vendor            Vendor            Vendor

    (On-premises = pre-cloud; IaaS = Infrastructure as a service; PaaS = Platform as a service; SaaS = Software as a service.)

    PaaS is the objective for combined / hybrid environments (with on-premises and cloud).

    Securing the data & application layers can insulate them from lower layer risks.

  • Cyber Security is Complex from a Technical Perspective - What factors must be addressed in PbD? Which ones are inherent in the IA / CND / Cyber suite?

    (Word cloud from an IBM security brief: Kerberos, PKI, Token, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN, IPSEC, SSL, Hardening, Cloud, XML Gateways, Secure Collaboration, Compliance, Secure Blades, H/W Crypto, SOX, DAC, RSBAC, FIPS 140-2, Trusted OS Guards, Cyber Security, SaaS, Wireless.)

  • +++ Cyber Model for PbD +++

    Standard IA / CND suite = IA devices = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN

    Typical network infrastructure = CCE = common core computing environment (with IA enabled devices properly set up: operating systems, database management systems, network management systems and web browsers)

    Monitoring, tracking, assessment = SCM / SIEM, DLP / RBS, R-T C&A / V&V, etc.

    Data Centric Security (DCS) enabling PbD - these are added on top of the IA / CND / Security cyber suite:

    + Data encryption end2end, focused on services / applications (PaaS model)

    + Multi-factor authentication - add time, location, etc. (re: RAdAC end-state)

    + Security policy management - automated, serving multiple avatar levels in PbD

    + Application engineering - common model for services, apps, phones, APIs, etc.

    Use existing products in each + capability (we have several favorites ;-))

    (AND an integrated AI / smart correlation / POA&M tool mapped to NIST Cybersecurity Framework functions / tiers)

    http://www.sciap.org/blog1/wp-content/uploads/Privacy-PAYS-4-cyber.pdf

  • Key Tactical Thrusts to DO Now

    COMMON national cyber security approach / end-state

    Consequence-based enterprise risk assessment (don't chase threats)

    Dynamic Cyber Enterprise Management (enforced hygiene) - KEY capability: security continuous monitoring (SCM) (can't manage what you can't measure)

    Top-down enforcement of IA / Cyber architecture - secure enterprise access control / ENFORCE least privilege (re: ZBAC) / Cyber IFF

    Common enterprise trust model (and implement TPMs, etc.)

    Reduce complexity - use APLs / VPLs / IA building blocks with pedigrees

    USE SCM to manage your IA / cyber suite quasi real-time, with SME help!

    Effective lifecycle education and training - targeted training for user awareness and IA / cyber SMEs (who manage it all)

    High impact activities get us all moving quickly: 95%+ security incident reduction - YES!

  • What is Cyber Hygiene? (and the HUGE percentage of security incidents caused by lack of it)

    National Security Agency (NSA) (80-85%)

    NSA IAD director: Just improving the IA Management aspects of security (aka, hygiene factors) will reduce security incidents by over 80%

    IA Management = CM, monitoring environment, follow SOPs
    http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
    http://www.sans.org/critical-security-controls/guidelines.php

    Verizon (2012 Data Breach Investigations Report) (up to 97%)

    Report covered 855 incidents, 174 million compromised records

    --- Breaches almost entirely avoidable through simple or intermediate controls

    Threats: 98% from external agents, 81% from hacking, 69% used malware
    http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

    Navy (our red team / NCDOC) (over 90%)

    Poor accountability factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc

    They must spend all their time / resources fixing the easy vulnerabilities

    HYGIENE = Maintaining / monitoring your IA / Security / cyber equipment settings, as any incorrectly set cyber capability is much less effective!

  • Cyber Hygiene - the many faces of neglect. Our IA/CND/Security cyber suite is quite good IF maintained!

    Equipment settings (FW, A/V, IDS, etc) - monitor / enforce

    Standard operating procedures (SOPs) - USE / enforce them

    Social media - content & settings; restrict sharing / privileges

    Security Awareness - ALL levels reinforce; incentivize good vs bad

    Privacy and PII - enforce policy (note - EU is stricter)

    Incident reporting - no incident too small; notify US-CERT / FBI

    Controlled Access - enforce least privilege; separate / rotate duties; know your security baseline AND employ SCM / SIEM

    Maintain Cyber Suite - patches, upgrades, etc (compliance is not security)

    You cannot buy cyber security (assuming you have an adequate IA/CND/Security/Cyber suite) - YOU must manage Cyber: actually DO and verify it!

    Will lack of cyber hygiene continue to put you at MUCH greater risk?

  • Security Continuous Monitoring (SCM)

    - What is SCM anyway? SCM is ongoing observance with intent to provide warning. A SCM capability is the ongoing observance and analysis of the operational states of systems to provide decision support regarding situational awareness and deviations from expectations.

    SCM is a risk management approach to Cybersecurity that maintains a picture of an organization's security posture, provides visibility into assets, leverages use of automated data feeds, monitors effectiveness of security controls, and enables prioritization of remedies.
    http://scap.nist.gov/events/2011/cm_workshop/presentations/pdf/DULANY%20-%20CM%20Brief16%20Mar.pdf

    An Enterprise SCM technical reference model (based on the Continuous Asset Evaluation, Situational Awareness and Risk Scoring Reference Architecture Report)
    http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf

    - What good is it? MANY ROI benefits: real-time awareness of security posture, cyber benchmarking, complements audit / compliance efforts, improves cyber performance, and reduces risk exposure - simplifies risk management overall. Third-party IV&V monitors hygiene AND potential new threats!
    http://raw.rutgers.edu/docs/wcars/23wcars/presentations/Mike%20Cangemi-The_Benefits_of_Continuous_Monitoring_edited_final_8-11[1].pdf

    - WHO does this now, where do I go for help? DISA and DHS have efforts in play already (DHS is funding continuous monitoring as a service (CMaaS)). The State Department DID early SCM several years ago and reduced C&A costs over 90%.
    http://www.disa.mil/scm
    http://www.gao.gov/new.items/d11149.pdf
    http://www.nextgov.com/cybersecurity/2013/01/dhs-pick-6-billion-tab-cyber-surveillance-systems-every-department/60445/

    - SCM is mandated for government entities (FISMA / DOD CIO / DHS / others)

    SCM is a cyber / risk management tool and provides added due diligence - stopping short of "get out of jail free", it keeps you from being the low-hanging fruit!
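    As an added example, not part of the original deck: the hygiene slide above says to know your security baseline and monitor equipment settings, and this slide defines SCM as observing deviations from expectations and prioritizing remedies. The script below models that loop in Python over a constructed fleet of three hosts: an approved baseline with per-setting weights (the weights are an assumption standing in for whatever scoring scheme the organization actually uses), a check of each host's reported settings against it, and a worst-first ranking. A setting the agent fails to report is treated as a finding, not as compliant.

```python
"""Baseline-vs-observed configuration drift check with risk scoring.

Added example, not from the original deck: a minimal model of the SCM loop -
keep an approved security baseline, pull the current state of each host,
flag deviations from expectations, and rank the findings so the worst
hygiene gaps get fixed first. Hosts, settings and weights are constructed.
"""
from dataclasses import dataclass

# Approved baseline: setting -> (expected value, comparison, weight 1..10).
# Comparison: "eq" exact match, "le" observed must be <= expected (a maximum),
# "ge" observed must be >= expected (a minimum). Weights are an assumption
# standing in for whatever scoring scheme the organisation actually uses.
BASELINE = {
    "firewall_enabled":       (True,      "eq", 10),
    "av_signatures_age_days": (1,         "le",  7),
    "os_patch_level":         ("2015-03", "ge",  8),   # YYYY-MM compares as text
    "local_admin_users":      (1,         "le",  9),
    "audit_logging":          (True,      "eq",  6),
    "java_browser_plugin":    (False,     "eq",  5),
}

NOT_REPORTED = "<not reported>"


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    observed: object
    weight: int


def compliant(setting, observed):
    """Compare one observed value against the baseline rule for that setting."""
    expected, op, _ = BASELINE[setting]
    if op == "eq":
        return observed == expected
    if op == "le":
        return observed <= expected
    return observed >= expected


def check_host(host, observed):
    """Return the baseline deviations for one host.

    A setting missing from the feed is reported as a finding: 'unknown' is not
    'compliant', and a silent sensor is itself a hygiene gap.
    """
    findings = []
    for setting, (expected, _, weight) in BASELINE.items():
        if setting not in observed:
            findings.append(Finding(host, setting, expected, NOT_REPORTED, weight))
        elif not compliant(setting, observed[setting]):
            findings.append(Finding(host, setting, expected, observed[setting], weight))
    return findings


def risk_score(findings):
    """Sum of the weights of a host's open deviations, capped at 100."""
    return min(100, sum(f.weight for f in findings))


def assess(fleet):
    """fleet: {host: observed settings}. Returns (host, score, findings), worst first."""
    report = []
    for host, observed in fleet.items():
        findings = check_host(host, observed)
        report.append((host, risk_score(findings), findings))
    report.sort(key=lambda r: r[1], reverse=True)
    return report


# Constructed sample feed, as an asset-inventory / SCM agent might deliver it.
SAMPLE_FLEET = {
    "ws-finance-01": {
        "firewall_enabled": True, "av_signatures_age_days": 0,
        "os_patch_level": "2015-04", "local_admin_users": 1,
        "audit_logging": True, "java_browser_plugin": False,
    },
    "ws-eng-07": {
        "firewall_enabled": False, "av_signatures_age_days": 19,
        "os_patch_level": "2014-11", "local_admin_users": 4,
        "audit_logging": True, "java_browser_plugin": True,
    },
    "kiosk-lobby": {
        "firewall_enabled": True, "av_signatures_age_days": 2,
        "os_patch_level": "2015-03", "local_admin_users": 1,
        # audit_logging and java_browser_plugin not reported by the agent
    },
}

if __name__ == "__main__":
    for host, score, findings in assess(SAMPLE_FLEET):
        print(f"{host:15} risk={score:3}")
        for f in findings:
            print(f"    {f.setting}: expected {f.expected!r}, observed {f.observed!r} (w={f.weight})")
```

    Run as a script it prints the fleet worst-first; in a real SCM pipeline the `assess()` output is what feeds the SIEM dashboard and the POA&M, and the baseline itself is the thing that must be version-controlled and approved.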

  • Mobile Security perspective

    http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf

    Key Issue / Risk Findings:

    Extensive use of mobile devices connecting to corporate networks
    -- 89% have mobile devices such as smartphones or tablets connecting to corporate networks
    -- Apple iOS is the most common mobile platform used to connect in corporate environments

    Personal mobile devices that connect to corporate networks are extensive and growing
    -- 65% allow personal devices to connect to corporate networks
    -- 78% have more than twice as many personal devices on corporate networks vs 2 years ago

    Security risks are on the rise because of mobile devices
    -- 71% say mobile devices have contributed to increased security incidents
    -- The Android mobile platform is considered to introduce the greatest security risks

    Employee behavior impacts security of mobile data
    -- 47% report customer data is stored on mobile devices
    -- Lack of employee awareness about security policies ranked as greatest impact on data security
    -- 72% say careless employees are a greater security threat than hackers

    Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem.

    *** NSA/CSS Mobility Capability Package = Architecture / Certification - a MUST DO *** http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_3.pdf

    Check Point's global survey of 768 IT professionals conducted in the United States, Canada, United Kingdom, Germany, and Japan. The survey gathered data about current mobile computing trends.

    Mobile / wireless are HUGE threat entry points!

    --- BYOD is NOT cheap ---

    http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_0.pdf

  • GAO report on mobile vulnerabilities - KEY risks / concerns:

    Mobile devices often do not have passwords enabled.

    Two-factor authentication is not always used when conducting sensitive transactions.

    Wireless transmissions are not always encrypted.

    Mobile devices may contain malware.

    Mobile devices often do not use security software.

    Operating systems may be out-of-date.

    Software / patches on mobile devices may be out-of-date.

    Mobile devices often do not limit Internet connections. Many mobile devices do not have firewalls to limit connections.

    Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").

    Communication channels / Bluetooth may be poorly secured.

    Major protection methods:

    - Enable user authentication
    - Enable two-factor authentication for sensitive transactions
    - Verify the authenticity of downloaded applications
    - Install antimalware and a firewall
    - Install security updates
    - Remotely disable lost or stolen devices
    - Enable encryption for data on any device or memory card
    - Enable whitelisting (on phones too!)
    - Establish a mobile device security policy
    - Provide mobile device security training
    - Establish a deployment plan
    - Perform risk assessments
    - Manage hygiene = configuration control and management

    http://www.networkworld.com/news/2012/091912-mobile-security-262581.html

    --- BYOD is NOT cheap ---

  • Cloud Security Factoids

    Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
    - Consensus on what constitutes the most significant risks
    - Cloud services certification standards
    - Virtual machine governance and control (orchestration)
    - Enterprise control over logging and investigation
    - Content-based control within SaaS and PaaS
    - Cloud security gateways, security "add-ons" based in proxy services

    We recommend following both the NIST and CSA cloud guidance:
    https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
    http://csrc.nist.gov/publications/PubsSPs.html

    AND an overall, enterprise, e2e, risk management approach (e.g., RMF & FedRAMP)

    The cloud security challenges are principally based on:
    a. Trusting the vendor's security model
    b. Customer inability to respond to audit findings
    c. Obtaining support for investigations
    d. Indirect administrator accountability
    e. Proprietary implementations can't be examined
    f. Loss of physical control

    Cloud Security Alliance (CSA) nine critical threats:
    1. Data Breaches
    2. Data Loss
    3. Account Hijacking
    4. Insecure APIs
    5. Denial of Service
    6. Malicious Insiders
    7. Abuse of Cloud Services
    8. Insufficient Due Diligence
    9. Shared Technology Issues

    Shift from only protecting the network, to the DATA itself! (e.g., data centric security)

  • Cloud Security Summary - Security in the cloud is likely better than you have in-house

    * Security is the SAME everywhere - WHO does which IA controls changes

    For more details see paper: "Cloud Security - What really matters?" at http://www.sciap.org/blog1/ (under Cyber Body of Knowledge)

    * Don't sell "cloud" - offer security capabilities instead, end-to-end services

    * Few are all in the cloud @ 100% - hence TWO environments to manage

    * ALL must use the same cloud security standards (and QA in the SLA)
    http://www.sciap.org/blog1/wp-content/uploads/Cloud-Security-Standards-SEP-20131.xlsx

    * Implement SCM / SIEM - integrate cloud metrics / status (& QA the SLAs)

    * Service Level Agreements (SLA) are not sufficient - trust but verify (orchestration SW?)

    * Encrypt everywhere - yes, more key management, but risks greatly reduced

    * Data owners are always accountable for PII / privacy / compliance (& location)

    * Update the Risk Management Plan (RMP) = comms, COOP, with cloud R&R
    http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf

  • Integration, execution is everything - as if you can't implement well, it costs you everywhere!!!

    The quantitative benefits of systems integration and interoperability (I&I) are:

    1. Shorter/reduced steps in business processes

    2. Time taken to process one application/record

    3. Less complaints from members of the public

    4. No. of applications/records processed over a period

    5. Less complaints from end- users

    6. Reduced number of errors

    7. Reduced software development time/effort

    8. Reduced maintenance

    9. Reduced no. of IT personnel

    The qualitative benefits of I&I are:

    1. Improved working procedures

    2. Better communication with other related organizations

    3. Job satisfaction

    4. Redefine job specification

    5. Improved data accessibility

    6. One-stop service

    7. More friendly public service

    The best capability means little if it stays in the box

    Until the user is happy using & benefitting from the new capability, it has no value

    Buying stuff is easy - getting it to work in your environment is hard

    Plan for I&I - then double it

  • SO what MUST WE ALL DO??? NIST's "absolutely necessary" Security Protections

    NIST - National Institute of Standards and Technology - NISTIR 7621

    - Protect information/systems/networks from damage by viruses, spyware, and other malicious code (IA suite, A/V, encryption, etc)
    - Provide security for your Internet connection / ISP
    - Install and activate software firewalls on all your business systems
    - Patch your operating systems & applications (and now "things" too!)
    - Make backup copies of important business data/information
    - Control physical access to your computers and network components
    - Secure your wireless access point and networks
    - Train your employees in basic security principles
    - Require individual user accounts for each employee on business computers and for business applications
    - Limit employee access to data and information, and limit authority to install software

    MUST DO tasks - consider this your due diligence list

    Where ALL have CM / hygiene aspects

    http://csrc.nist.gov/publications/drafts/nistir7621-r1/nistir_7621_r1_draft.pdf

  • Cyber Security Best Practices Overview (Best practices are not a panacea - just a guide = to DO the basics)

    - Quantify your business protection needs - do you have an asset inventory?
    - Determine what is "good enough" or minimally acceptable for your business
    - Quantify your environment's threats and vulnerabilities
    - Have a security policy that's useful, complete, CEO/leadership endorsed
    - Run self-assessments on security measures (use accepted tests, STIGs, PenTests, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
    - Training and awareness programs - much needed, but not a guarantee
    - TEST your BCP, COOP, recovery plans, backup - have you ever restored?
    - Encrypt where you can - assess where / how you need it: IM, e-mail, file transfer, storage, backup, etc
    - Be familiar with / USE the NIST IA/Security series - they are very good!
    - DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
    - Reduce complexity - use only approved / preferred products lists (A/PPLs)
    - A risk management plan (RMP) - using both threats AND consequences

    As you can somewhat control what you plan, but you usually ONLY get what you enforce!

  • What can you DO right now? Ready for immediate implementation = 95+% incident reduction

    1 - Install tools/scripts to catch USERS' mistakes; lock down the end devices (only allow root / admin to install anything). Use effective access control (enforce least privilege!)

    2 - Manage the browser as THE threat vector (80% of malware comes through here). Have ONE secure browser version (IE9), use the guest account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc). Implement a deny-all access approach: allow URLs using only a controlled white list (no, this is NOT hard to do!)

    Cyber continues to be about US ALL doing the basics

    3 - Run tools / application firewalls to minimize zero-day problems, and enforce CM/hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM - #5)

    4 - KISS / reduce IA complexity - only buy cyber products off APLs/PPLs (they have pedigrees / C&A already!) And USE their security features, like TPM!!

    5 - USE a security continuous monitoring (SCM) firm for real-time scans for both current vulnerabilities (SQL injection, et al) and new threats (where the firm has feeds/data from US-CERT, etc, so they are always current on new threats / zero-day problems)

    6 - If you make IT stuff, build IA/security in; there are lots of simple guides:
    http://www.sans.org/critical-security-controls/guidelines.php
    http://www.sans.org/top25-software-errors/
    We're STILL lax - Google DarkReading "Real-World Developers Still Not Coding Securely"
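    Item 2 above calls for a deny-all browser policy that allows only a controlled white list of URLs. The code below is an added example, not from the original deck, of the decision logic such a proxy or browser-policy hook needs; the allowlisted domains and the sample requests are constructed placeholders. The point it makes is that the host must be parsed out of the URL before matching: naive substring checks pass `evil.test/example.com`, `example.com.evil.test` and `example.com@evil.test`, all of which actually land on an attacker host.

```python
"""Deny-all URL allowlist for a managed browser / proxy policy.

Added example, not from the original deck: the "deny all, allow only a
controlled white list" approach from item 2, as a decision function a proxy
or browser-policy hook could call. Domains below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Only these schemes are ever permitted; file:, ftp:, javascript: etc. are denied.
ALLOWED_SCHEMES = {"https", "http"}

# Allowlisted hosts: exact host, or the parent domain when `subdomains` is True.
ALLOWLIST = {
    "intranet.corp.test":  {"subdomains": False},   # this host only
    "example.com":         {"subdomains": True},    # example.com and *.example.com
    "updates.vendor.test": {"subdomains": False},
}


def host_allowed(host):
    """True if `host` is exactly allowlisted or a subdomain of an allowlisted parent."""
    host = host.lower().rstrip(".")          # DNS names are case-insensitive; drop root dot
    for allowed, rule in ALLOWLIST.items():
        if host == allowed:
            return True
        if rule["subdomains"] and host.endswith("." + allowed):
            return True
    return False


def is_allowed(url):
    """Decide one URL. Default is deny; every check must pass to reach allow.

    Pitfalls this avoids, which naive substring matching does not:
    - the allowed name appearing only in the path   (http://evil.test/example.com)
    - the allowed name as a prefix of an attacker domain (example.com.evil.test)
    - userinfo tricks (http://example.com@evil.test/): the real host is evil.test
    - non-web schemes that bypass the web proxy entirely
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # credentials embedded in the URL: deny outright
    host = parts.hostname                 # userinfo and port already stripped by urlsplit
    if not host:
        return False
    return host_allowed(host)


def filter_requests(urls):
    """Split a batch of requested URLs into (allowed, denied), e.g. for SIEM logging."""
    allowed, denied = [], []
    for url in urls:
        (allowed if is_allowed(url) else denied).append(url)
    return allowed, denied


# Constructed sample of requests, as a proxy log might show them.
SAMPLE_REQUESTS = [
    "https://intranet.corp.test/timesheet",
    "https://mail.example.com/inbox",            # subdomain of an allowlisted parent
    "https://example.com:8443/api",              # port is not part of the host
    "https://Updates.Vendor.Test./patch.msi",    # case and trailing dot normalised
    "http://evil.test/example.com/login",        # allowed name appears only in the path
    "https://example.com.evil.test/",            # attacker-controlled suffix
    "http://example.com@evil.test/",             # userinfo trick; real host is evil.test
    "https://sub.intranet.corp.test/",           # exact-only entry: no subdomains
    "file:///etc/passwd",                        # scheme not permitted
    "javascript:alert(1)",
]

if __name__ == "__main__":
    ok, blocked = filter_requests(SAMPLE_REQUESTS)
    print("ALLOW:", *ok, sep="\n  ")
    print("DENY:", *blocked, sep="\n  ")
```

    Keep the allowlist in configuration management like any other baseline setting, and log the denied side of `filter_requests()`: the denies are the cheapest "defensive I&W" feed you will get.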

  • Overall Way Forward (given all the unknowns, variables, this is one approximately correct path ;-))

    Company Vision embedded in Cyber Plans/RMP - know where you are going, where the passion is / what the USER values

    Hope is Not a Strategy - re: 2012 Annual DDoS Attack and Impact Survey!

    SO quit admiring the cyber problem / threat and start DOING something!

    Risk Management Plan (RMP) - Use NIST's RMF (or COBIT)! Have a dynamic, realistic RMP supporting your business success metrics, as you ARE betting your livelihood on cyber!

    Effective, enforced Policy - embedded in core business success factors, rules to enforce statutory, legal mandates, key processes, to enforce behavior (pos & neg incentives)

    The Basics, basics, basics - new toys matter little if your environment(s) are not managed (SCM / SIEM!)

    Poor hygiene / CM causes almost ALL security incidents (80 - 97%)

  • Cyber Security opportunities (Cyber can both protect your business AND enhance the bottom line!)

    IT / Cyber Global factors (user pull):
    - World-wide B2B: trust / cloud / sharing
    - IoT / M2M: automation / sensors
    - Consumerization of IT: phones / wireless / apps
    - Privacy / Data: IP / PII / compliance

    GAPS / Needs (from the Federal cyber priority council S&T gaps):
    - TRUST: distributed / MLS
    - Resiliency: SW / apps / APIs / services
    - Agile operations: BE the vanguard / integration
    - Effective missions: business success factors

    Vulnerabilities / Threats (Verizon DBIR, Forbes, etc threat reports - what ails us most):
    - CM / Hygiene: patching / settings
    - Access control: authentication is key
    - Top security mitigations: whitelist, patch, limit access, etc
    - Risk Mgmt: ad hoc / not global

    Future Opportunities:
    - SIEM / SCM: QA hygiene / sensors; ESA / simple tools!
    - Mobile Security: poor apps / iOS weak; billions of users = volume
    - Mitigate Obsolescence: minimize patching, legacy vulnerabilities; OA / modularity / APIs & SCRM
    - Data Security: predictive analytics; privacy by design

    Effective Business Risk Management (BRM) = cybersecurity framework (CMMI / FAR) - focus on reducing business risk: managed security services (MSS) & cyber insurance

  • SUMMARY

    SO... What really matters in Cyber?

    DO the cyber BASICS well, for things, people AND processes; invest in select new capabilities, protect privacy and follow your RMP!!!

    Take ACTION NOW: (1) security assessment, (2) SCM/SIEM, & (3) Cyber insurance!

    OSD / federal S&T activities:
    - Distributed Trust
    - Resilient Architectures
    - Response and Cyber Maneuver
    - Visualization and Decision Support
    - Dynamic policy management (RAdAC)
    - Detection and Autonomic Response
    - Recovery and Reconstitution

    NSA / agency S&T activities:
    - Mobility, wireless, & secure mobile services
    - Platform integrity / compliance assurance
    - End client security
    - Cyber indications and warning (I&W)
    - Mitigation engineering (affordability)
    - Massive data (data centric security)
    - Advanced technology (targeted)
    - Virtualization secure capabilities

    Doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), (4) IA / Cyber SCM / CDM / SIEM (ongoing diagnostics AND mitigations = CDM)

    It's all about TRUST and DATA

    [email protected]

    It's NOT all about expensive new cyber capabilities, but more about the SoS / I&I glue

  • Cyber security URLs / links of interest

    Major cyber / IA sites

    https://infosec.navy.mil

    http://www.doncio.navy.mil/TagResults.aspx?ID=28

    http://iase.disa.mil/Pages/index.aspx

    http://csrc.nist.gov/publications/PubsSPs.html

    http://www.nsa.gov/ia/index.shtml

    https://cve.mitre.org/

    http://www.cisecurity.org/

    http://www.cert.org/

    http://www.commoncriteriaportal.org/

    https://www.thecsiac.com/resources/all

    http://www.dhs.gov/topic/cybersecurity

    http://iase.disa.mil/stigs/Pages/index.aspx

    http://niccs.us-cert.gov/

    https://www.sans.org/programs/

    http://www.cerias.purdue.edu/

    https://www.cccure.org/

    http://www.rmf.org/

    http://nvd.nist.gov/

    Others of interest

    https://www.cool.navy.mil

    http://www.threatstop.com/

    http://www.darkreading.com/

    http://www-03.ibm.com/security/xforce/

    http://www.iso27001security.com/

    http://iac.dtic.mil/csiac/ia_policychart.html

    http://www.nascio.org/

    some training sites:
    http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.aide.html

    http://iase.disa.mil/eta/online-catalog.html#fsotools

    http://iase.disa.mil/eta/cyberchallenge/launchPage.htm

    http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html

    http://www.microsoft.com/security/sdl/default.aspx

  • IA/Security Axioms - to consider / accommodate / educate

    Security and complexity are often inversely proportional.

    Security and usability are often inversely proportional.

    Good security now is better than perfect security never.

    A false sense of security is worse than a true sense of insecurity.

    Your security is only as strong as your weakest link.

    It is best to concentrate on known, probable threats first.

    Security is an investment (insurance), not an expense - with an RoI.

    Security is directly related to the education and ethics of your users.

    Security is a people problem - users stimulate problems, at all levels.

    Security through obscurity is weak & we can NOT always add security later.

    http://www.avolio.com/papers/axioms.html

    Work through all these in your Risk Management Plan!

    Who says what we MUST DO? From a business DUE CARE / due diligence level - collectively: NIST, NSA, SANS, etc - the following slides provide details.

  • NIST's Highly Recommended Practices
    http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

    - Policy / practice for email attachments and requests for sensitive information
    - Policy / practice for web links in email, instant messages, social media, or other means
    - Policy / practice for popup windows and other hacker tricks
    - Doing online business and secure banking
    - Recommended personnel practices in hiring employees
    - Security considerations for web surfing, prohibited sites
    - Policy / practice for downloading software from the Internet
    - How to get help with information security when you need it
    - How to dispose of old computers, media and fax machines
    - How to protect against Social Engineering, data loss prevention

    WHAT, more to do? YES, but most are related to standard IA/CND mitigations...

  • NSA IAD top ten controls

    1 - Application whitelisting - only run approved apps (that the SysAdmin reviews)

    2 - Control administrative privileges - minimize escalation, enforce least privilege

    3 - Limit workstation-to-workstation communications - thwart pass-the-hash

    4 - Use anti-virus file reputation services - leverage cloud-based threat databases

    5 - Enable anti-exploitation features - for example, MS Windows EMET

    6 - Implement Host Intrusion Prevention System rules - focus on threat behaviors

    7 - Set a secure baseline configuration - layered security, standard images, etc

    8 - Use web Domain Name Service (DNS) reputation - screen URLs, intrusion alerts

    9 - Use / leverage software improvements - software / OS upgrade and patch policy

    10 - Segregate networks and functions based on role, functionality - monitor sections, then isolate when attacked

    http://www.sans.org/security-resources/IAD_top_10_info_assurance_mitigations.pdf

  • SANS top 20 controls (ver 3)

    1: Inventory of Authorized and Unauthorized Devices

    2: Inventory of Authorized and Unauthorized Software

    3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

    4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

    5: Boundary Defense

    6: Maintenance, Monitoring, and Analysis of Security Audit Logs

    7: Application Software Security

    8: Controlled Use of Administrative Privileges

    9: Controlled Access Based on the Need to Know

    10: Continuous Vulnerability Assessment and Remediation

    11: Account Monitoring and Control

    12: Malware Defenses

    13: Limitation and Control of Network Ports, Protocols, and Services

    14: Wireless Device Control

    15: Data Loss Prevention

    16: Secure Network Engineering

    17: Penetration Tests and Red Team Exercises

    18: Incident Response Capability

    19: Data Recovery Capability

    20: Security Skills Assessment and Appropriate Training to Fill Gaps

    http://www.sans.org/critical-security-controls/


  • Top 35 Mitigations
    http://www.asd.gov.au/infosec/top35mitigationstrategies.htm

    At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies:

    - use application whitelisting to help prevent malicious software and other unapproved programs from running
    - patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
    - patch operating system vulnerabilities
    - minimize the number of users with administrative privileges

    Examples of Targeted Cyber Intrusions mitigation strategies: disable local administrator accounts; multifactor authentication; network segmentation and segregation; application-based workstation firewall; host-based Intrusion Detection/Prevention System; centralized and time-synchronized logging; whitelisted email content filtering; web domain whitelisting for all domains; workstation application security configuration hardening; user education; computer configuration management; server application security configuration hardening; antivirus software with up-to-date signatures; enforce a strong passphrase policy; etc, etc, etc...

  • Top 25 SW development errors

    [1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    [2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    [3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

    [4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    [5] Missing Authentication for Critical Function

    [6] Missing Authorization

    [7] Use of Hard-coded Credentials

    [8] Missing Encryption of Sensitive Data

    [9] Unrestricted Upload of File with Dangerous Type

    [10] Reliance on Untrusted Inputs in a Security Decision

    [11] Execution with Unnecessary Privileges

    [12] Cross-Site Request Forgery (CSRF)

    [13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    [14] Download of Code Without Integrity Check

    [15] Incorrect Authorization

    [16] Inclusion of Functionality from Untrusted Control Sphere

    [17] Incorrect Permission Assignment for Critical Resource

    [18] Use of Potentially Dangerous Function

    [19] Use of a Broken or Risky Cryptographic Algorithm

    [20] Incorrect Calculation of Buffer Size

    [21] Improper Restriction of Excessive Authentication Attempts

    [22] URL Redirection to Untrusted Site ('Open Redirect')

    [23] Uncontrolled Format String

    [24] Integer Overflow or Wraparound

    [25] Use of a One-Way Hash without a Salt

    http://cwe.mitre.org/top25/

    Must BUILD IA IN - this starts with SW, AND applies to Apps / Services
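    To make the build-it-in point concrete, here is an added example, not from the original deck or the CWE project, showing two entries from the list above in one login routine against an in-memory SQLite table: [1] SQL injection, as a string-built query beside its parameterized replacement, and [25] a one-way hash without a salt, as bare SHA-256 beside a salted, iterated PBKDF2 with a constant-time compare. User names, passwords and the iteration count are constructed for illustration.

```python
"""CWE Top 25 in one login routine: the vulnerable form beside the hardened form.

Added example, not from the original deck or the CWE project. It covers two
entries from the list above with an in-memory SQLite user table:
  [1]  CWE-89  SQL injection   - string-built query vs parameterized query
  [25] CWE-759 unsalted hash   - bare SHA-256 vs salted, iterated PBKDF2
Users, passwords and the iteration count are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000   # assumption; tune to your latency budget


def setup_db():
    """In-memory table holding both the weak and the hardened credential forms."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, sha256 TEXT, salt BLOB, pbkdf2 BLOB)"
    )
    return conn


def weak_hash(password):
    # CWE-759: no salt, so equal passwords hash equally and precomputed tables apply.
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password, salt):
    # Per-user random salt plus a slow KDF; compared in constant time in login_hardened.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def add_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (username, weak_hash(password), salt, strong_hash(password, salt)),
    )


def login_vulnerable(conn, username, password):
    """CWE-89: attacker-controlled text is spliced straight into the statement.

    Deliberately vulnerable, to show the failure the list warns about: a
    username of  ' OR 1=1--  ends the quoted string, forces the WHERE clause
    true and comments out the password check entirely.
    """
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND sha256 = '{weak_hash(password)}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterized lookup, then constant-time check of the salted, iterated hash."""
    row = conn.execute(
        "SELECT salt, pbkdf2 FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Run the KDF anyway so an unknown user is not distinguishable by timing.
        strong_hash(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(strong_hash(password, salt), stored)


def demo():
    """Return a dict of outcomes: the injection against both forms, plus hash reuse."""
    conn = setup_db()
    secret = "correct horse battery staple"
    add_user(conn, "alice", secret)
    add_user(conn, "bob", secret)          # same password as alice, on purpose
    payload = "' OR 1=1--"
    return {
        "vuln_bypassed": login_vulnerable(conn, payload, "wrong"),
        "hard_bypassed": login_hardened(conn, payload, "wrong"),
        "hard_legit":    login_hardened(conn, "alice", secret),
        "hard_wrong_pw": login_hardened(conn, "alice", secret.upper()),
        # Unsalted column: alice and bob share one digest, revealing password reuse.
        "weak_hash_reused": conn.execute(
            "SELECT COUNT(DISTINCT sha256) FROM users").fetchone()[0] == 1,
        # Salted column: two different digests for the same password.
        "pbkdf2_reused": conn.execute(
            "SELECT COUNT(DISTINCT pbkdf2) FROM users").fetchone()[0] == 1,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17} {outcome}")
```

    The same pattern, bind every untrusted value as a parameter and never compare secrets with `==`, is what the SANS/CWE guides linked above ask for; the `demo()` dictionary shows the injection succeeding only against the string-built query.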

  • What small businesses need to know about cyber security before they can offer services to the government

    In general, companies must provide a security level commensurate with that of the government site they are going to do business with (see NIST & GSA & FISMA web sites below).

    This NIST document provides a good overview of the government requirements, which in general need to be met by companies connecting to government sites in support of services provided:
    http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

    Information Security rules by GSA
    http://www.gsa.gov/portal/content/104257

    FISMA rules / regulations are also representative of items to be assessed
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    VA has a contract clause that's fairly standard
    http://www.iprm.oit.va.gov/docs/Appendix_C.pdf

    The Education Department has a good overview of requirements
    http://www2.ed.gov/fund/contract/about/bsp.html

    New LAWs - "Government Contractors Subject to Cybersecurity Regulations - More are on the Way"
    http://www.scribd.com/doc/89226369/Government-Contractors-Now-Subject-to-Cybersecurity-Regulations-%E2%80%93-And-More-are-on-the-Way

    Small business security overview (and detailed brief on the major security product details too)
    http://www.sciap.org/blog1/wp-content/uploads/Small-Business-Security-ADT-Cluster-v4_Mike_Davis_July_26_2011.pdf

  • How to find / bid on government contracts

    MUST have a DUNS number or CAGE Code (and capability statement/documents)

    Central source for SBA
    http://www.sba.gov/content/federal-contracting-resources-small-businesses

    +++ System for Award Management (SAM) - register here first / asap, it drives many other processes
    https://www.sam.gov/index.html

    FedBizOpps
    https://www.fbo.gov/

    SPAWAR small business opportunities
    http://www.public.navy.mil/spawar/Documents/Small_Business/SPAWAR_3_year_Acquisition_Forecast_22_May_2013.pdf

    Federal Procurement Data System
    https://www.fpds.gov/fpdsng_cms/

    Dynamic Small Business Search
    http://dsbs.sba.gov/dsbs/search/dsp_dsbs.cfm

    Interested in the SBIR / STTR programs? See the information in the overview offered below
    http://www.navysbir.com/overview.htm

    You REALLY need an effective business plan to show clients and investors the big picture.
    http://100startup.com/resources/business-plan.pdf

  • 60

    Computer Network Attack / Exploit

    Provide near-real time OPSEC to IA - effectively leverage the black side Intel into unclass protections

    Establish a War Reserve Mode? We have WARM elsewhere; what's that in cyber?

    Fusion of diverse data into KM we can use: all sensors, CNA/E effects, OpSec, Intel, etc = improved IA/CND

    Can't easily / rapidly tell WHO the bad actors are... Offensive activities best done by NCA / Cybercom, COCOMs

    Cyber War / ROE undefined, asymmetric nature = lose-lose

    Offensive cyber methods / tools / activities best used covertly by a skilled few

  • 61

    Key cyber capabilities to develop (think secure comms / messaging - here proposed wrt top tier ETAs)

    Distributed Trust --- Enable secure distributed interactions by establishing appropriate levels of trust among remote devices, systems, or users. Supports: Models and Protocols for Trust Establishment; Infrastructure; Dynamic Evaluation; Out-of-Band and Physical Trust Maintenance

    Resilient Architectures --- Enable functional capabilities to continue despite successful disruption or compromise by the adversary. Supports: Morphing Engines Generating Unpredictability; Secured Network Storage; System Decomposition for Mission-Tailored Tools; Response and Cyber Maneuver

    Visualization and Decision Support --- Enable human decision-makers to quickly understand the security and operational implications of the current situation and to rapidly ascertain the best course of action to pursue. Supports: Real-Time Analysis Engines; Common Operational Framework; Holistic Cognitive Environment

    Response and Cyber Maneuver --- Enable defenders to perform shaping operations that minimize the attack space and frustrate adversary planning and to take action during attacks to block, disrupt, remove, or counter adversary actions. Supports: Polymorphic Technologies; Cyber Obfuscation; Network Agility

    Net-centric Cyber Security = SoS and I&I aspects

  • 62

    OTHER cyber capabilities (2nd tier)

    Detection and Autonomic Response: Technologies that analyze data collected about the ongoing state of networks, hosts, applications, data, or user actions, and evaluate whether it represents known or probable malicious activity. Technologies that select and invoke immediate defensive actuators in real-time in response to a stream of detected events, without the need for human input.

    Complex Attack Pattern Recognition; Trustworthy, Intelligent Agents; Game Theoretic Methods

    Recovery and Reconstitution: Technologies that restore system trust, capabilities, and reserves to fully functional and normal levels after disruption, damage, or depletion due to cyber attack or effects of a defensive response. Technologies that restore or reconstruct lost or tainted information as closely as possible to its previous undamaged state or to what is current and accurate. Technologies that trace functions, results, or decisions that may have been affected by damaged information and restore or compensate as appropriate.

    Bio-inspired self-inoculation; synchronize repair activities without interrupting ongoing mission progression or priorities; asymmetric redundancy using distributed trust as a recovery metric/mechanism.

    Component Trust: Technologies and methodologies that establish a basis for determining and quantifying the likely trustworthiness of acquired hardware or software products that have been constructed outside an organization's control, by methods such as external and internal physical examination, execution monitors, and supply chain risk countermeasures.

    Hardware/software DNA that vouches for a component's authenticity (re: enhanced TPM); white-listing of trusted hardware/software components; root of trust, etc.

    Integration and Interoperability aspects are HUGE
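    The Component Trust bullet above (root of trust, white-listing, a TPM-style "DNA" that vouches for a component) in working form, as an added example that is not part of the briefing: a measured-boot chain in which every component image is hashed and extended into a PCR-style register, and the result is checked against both a per-component allowlist and a golden whole-chain value. The component names, sample images and golden values are constructed for the example; the extend operation (new = SHA-256(old || measurement)) is the standard TPM PCR pattern.

```python
"""Component trust check modelled on a TPM-style measured boot.

Added example (not from the briefing). Each component image in the boot chain
is measured (SHA-256) and folded into a running register the way a TPM extends
a PCR. The final register value is compared against a golden allowlist. A
swapped, downgraded or reordered component changes the final value even when
every individual image is still on the per-component allowlist, which is why a
root of trust anchored on the whole chain is stronger than white-listing
components one by one. All images, names and golden values are constructed.
"""
import hashlib
from dataclasses import dataclass, field

PCR_INITIAL = b"\x00" * 32  # a TPM PCR starts at all-zeros on reset


def measure(image: bytes) -> bytes:
    """Measurement = SHA-256 digest of the raw component image."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: the new value depends on every earlier measurement and their order."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain) -> str:
    """Extend a fresh register with each (name, image) in order; return the hex PCR."""
    pcr = PCR_INITIAL
    for _name, image in chain:
        pcr = extend(pcr, measure(image))
    return pcr.hex()


@dataclass
class TrustVerdict:
    trusted: bool          # chain value is golden AND every component is known
    chain_ok: bool         # final PCR matched a golden value
    unknown: list = field(default_factory=list)  # components whose hash is not allowlisted


def verify_chain(chain, component_allowlist, golden_pcrs) -> TrustVerdict:
    """Check the per-component allowlist and the whole-chain golden value."""
    unknown = [name for name, image in chain
               if measure(image).hex() not in component_allowlist.get(name, set())]
    chain_ok = measured_boot(chain) in golden_pcrs
    return TrustVerdict(trusted=chain_ok and not unknown, chain_ok=chain_ok, unknown=unknown)


# Constructed "known good" boot chain: stand-ins for real firmware images.
GOOD_CHAIN = [
    ("bootrom", b"bootrom v1.0 (constructed sample image)"),
    ("firmware", b"firmware v2.3 (constructed sample image)"),
    ("kernel", b"kernel 5.x (constructed sample image)"),
]
# Allowlist of acceptable hashes per component, and golden PCR values for the chain.
COMPONENT_ALLOWLIST = {name: {measure(img).hex()} for name, img in GOOD_CHAIN}
GOLDEN_PCRS = {measured_boot(GOOD_CHAIN)}


def demo() -> dict:
    """Verdicts for an intact chain, a superseded firmware image, and a reordered chain."""
    downgraded = [GOOD_CHAIN[0],
                  ("firmware", b"firmware v2.2 (constructed, superseded image)"),
                  GOOD_CHAIN[2]]
    reordered = [GOOD_CHAIN[0], GOOD_CHAIN[2], GOOD_CHAIN[1]]  # same images, wrong order
    return {
        "intact": verify_chain(GOOD_CHAIN, COMPONENT_ALLOWLIST, GOLDEN_PCRS),
        "downgraded": verify_chain(downgraded, COMPONENT_ALLOWLIST, GOLDEN_PCRS),
        "reordered": verify_chain(reordered, COMPONENT_ALLOWLIST, GOLDEN_PCRS),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:11s} trusted={verdict.trusted} chain_ok={verdict.chain_ok} "
              f"unknown={verdict.unknown}")
```

    The reordered case is the one worth noting: every image is individually allowlisted, so a per-component white-list alone passes it, but the chain value does not match, which is exactly the property a chained root of trust adds over component-level checks.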

  • Trust (U)

    (U) Objective: Develop measures of trustworthiness for components within the cyber infrastructure and for large systems where components and participants have varying degrees of trustworthiness

    Cyber PSC PA-Releasable Briefing

    November 2012 Page-63

    * Scalable reverse engineering and analysis
      * Develop tools that validate and verify hardware chip, firmware and software functionality
      * Develop tools for interoperable and scalable forensic analysis
    * Trust establishment, propagation, and maintenance techniques
      * Develop techniques to establish trust anchors within components
      * Develop algorithms to describe, establish, propagate, and revoke trust with distributed reputation management
      * Develop algorithms and mechanisms to manage dynamic and transitive trust relations with coalition partners
    * Measurement of trustworthiness
      * Develop quantitative techniques to enable context-aware dynamic trust scoring of components and systems
      * Develop composite measures of trust
    * Development of trustworthy architectures and trust composition tools
      * Develop trust architectures that can self attest to their required trust properties
      * Create techniques to build trustworthy systems from untrustworthy components

  • Resilient Infrastructures (U)

    (U) Objective: Develop integrated architectures that are optimized for the ability to absorb shock and the speed of recovery to a known secure state


    * Resiliency for operational systems
      * Develop efficiency-, risk-, and cost-based approaches to manage real-time tradeoffs among redundancy, randomization, diversity, and other resiliency mechanisms
    * Mechanisms to compose resilient systems from brittle components
      * Develop architectural foundations to compose and manage services in massive environments
      * Develop resiliency-aware abstraction layers that provide dynamic, threat-based component integration
    * Integration of sensing, detection, response, and recovery mechanisms
      * Develop automated response tools using information correlated across the infrastructure
      * Develop algorithms for management and outcome analysis of resiliency properties of systems
    * Secure modularization and virtualization of nodes and networks
      * Enable heterogeneity at the hardware, hypervisor, operating system, and application layers
      * Develop robust cloud architectures to resist intrusions of potentially hostile elements
      * Develop algorithms for real-time reconstitution based on dynamic feedback of macro-level resilience and health
    * Resiliency-specific modeling and simulation techniques
      * Enable the measurement and analysis of systems' quantifiable resiliency properties

  • Agile Operations (U)

    (U) Objective: Speed the ability to reconfigure, heal, optimize, and protect cyber mechanisms via automated sensing and control processes

    * Techniques for autonomous reprogramming, reconfiguration, and control of cyber components
      * Develop approaches for autonomous policy-driven reconfiguration using ontologies and control loops
    * Machine intelligence and automated reasoning techniques for executing course of action
      * Develop time-constrained automated control loops that select and execute actions within a goal-seeking framework
    * Techniques for mapping assets and describing dependencies between mission elements and cyber infrastructure
      * Develop sensors, specification languages, and machine learning for near real-time cyber situational awareness
      * Design static and dynamic models and supporting languages that relate cyber and kinetic domains
      * Develop near real-time mission analysis tools to support combined cyber/kinetic operations
    * Techniques for course-of-action analysis and development
      * Develop modeling and simulation techniques for assessment of asset criticality and effects
      * Design game-theoretic approaches to predict adversarial behavior
      * Develop tools for mission simulation, rehearsal, and execution support
    * Cyber effects assessment
      * Develop probing, detection, correlation, and visualization techniques

  • Resilient Infrastructures (U)

    (U) Objective: Develop novel protocols and algorithms to increase the repertoire of resiliency mechanisms available to the architecture


    * Code-level software resiliency
      * Develop novel language features, randomizing compilation techniques, and enhanced execution environments
    * Network overlays and virtualization
      * Expedite resilient protocol development using overlays from specification to deployment
      * Develop network reconstitution techniques based on modular design and component virtualization
    * Network management algorithms
      * Develop autonomous network management algorithms for scalable reconfiguration and self-healing modeled after biological systems
    * Mobile computing security
      * Develop protection models, mechanisms, and algorithms for mobile devices to ensure higher levels of trust
    * Distributed systems architectures and service application polymorphism
      * Develop methods for dynamic provisioning, reallocation, reconfiguration, and relocation of cyber assets at both the system and application layers
    * Network composition based on graph theory
      * Develop network technologies at the architectural level to enable near real-time reconfiguration
      * Develop algorithms to enable sequenced network reconfiguration actions orchestrated across time and space
    * Distributed collaboration and social network theory
      * Develop collaborative tools to support near real-time distributed maneuver
      * Realize social networks that incorporate coalition partners' offensive and defensive capabilities

  • 67

    Cyber Problem statement = Poor State of IA & CND (where all IA/CND capabilities must also act as a SoS)

    It's all about TRUST - need a common enterprise trust model. Some HAP/TSM is needed, but where to put which EAL devices?

    Need a common top-down, enforced IA/Cyber capable architecture

    Need an alternative to commercial ISPs - leverage existing dark fiber

    Effective / secure enterprise access control is foundational: IA&A implementation focus = authorization based access control complemented by ABAC, RBAC, even RAdAC as an end-state

    If you don't control entry and exit, you control nothing; this applies to people, NPEs, software and data - the foundation for mission assurance (MA)!

    Proactive/Dynamic Defensive I&W - Detect unusual patterns, characteristics, attributes, irregular requests. Provide auto alerts; divert questionable actions; "wrap" issues/problems

    This is the catch-all capability, as we can't protect everything at 99%

    Institutionalize Dynamic Cyber Enterprise Management
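    The access-control and I&W bullets above, as an added example that is not part of the briefing: a policy decision point that applies RBAC, then ABAC, then a risk-adaptive (RAdAC) stage whose risk score is built from the unusual request attributes the slide calls out, raising an auto alert and diverting questionable actions to step-up authentication instead of a flat allow/deny. The roles, clearances, indicator weights, thresholds and the sample requests are all constructed for the example.

```python
"""Layered access-control decision: RBAC, then ABAC, then risk-adaptive (RAdAC).

Added example, not from the briefing. The first two stages are static policy;
the third is the proactive/dynamic I&W piece: unusual request attributes raise
a risk score and, above a threshold, the decision becomes "divert" (step-up
authentication plus an alert) rather than a plain allow/deny. Roles,
attributes, weights, thresholds and sample requests are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# RBAC: what each role may do (constructed).
ROLE_PERMISSIONS = {
    "analyst": {"read:report"},
    "admin": {"read:report", "write:report", "export:report"},
}
# ABAC: resource classes ordered by sensitivity; the subject's clearance must dominate.
CLASS_RANK = {"internal": 0, "secret": 1}


@dataclass
class Request:
    user: str
    role: str
    action: str
    resource_class: str   # "internal" or "secret"
    clearance: str        # subject attribute: "internal" or "secret"
    hour: int             # local hour 0-23 of the request
    src_country: str      # where the request came from
    home_country: str     # where the user normally works
    recent_requests: int  # requests by this user in the last minute


@dataclass
class Decision:
    outcome: str                   # "allow", "deny" or "divert"
    stage: str                     # which layer decided
    reasons: list = field(default_factory=list)
    alert: bool = False            # raise an auto alert to the SOC


def rbac_allows(req: Request) -> bool:
    return req.action in ROLE_PERMISSIONS.get(req.role, set())


def abac_allows(req: Request) -> bool:
    return CLASS_RANK[req.clearance] >= CLASS_RANK[req.resource_class]


def risk_score(req: Request):
    """I&W indicators: each unusual attribute adds weight; returns (score, reasons)."""
    score, reasons = 0, []
    if req.hour < 6 or req.hour > 20:
        score += 25
        reasons.append("off-hours")
    if req.src_country != req.home_country:
        score += 35
        reasons.append("unexpected-source-country")
    if req.recent_requests > 30:
        score += 30
        reasons.append("request-burst")
    if req.action == "export:report":
        score += 15
        reasons.append("bulk-export")
    return score, reasons


def decide(req: Request, divert_at: int = 40, deny_at: int = 75) -> Decision:
    """Static policy first (cheap and deterministic); the risk-adaptive stage last."""
    if not rbac_allows(req):
        return Decision("deny", "rbac", ["role lacks permission"])
    if not abac_allows(req):
        return Decision("deny", "abac", ["clearance below resource class"])
    score, reasons = risk_score(req)
    if score >= deny_at:
        return Decision("deny", "radac", reasons, alert=True)
    if score >= divert_at:
        return Decision("divert", "radac", reasons, alert=True)  # step-up auth
    return Decision("allow", "radac", reasons)


# Constructed sample requests.
SAMPLE = [
    Request("alice", "analyst", "read:report", "internal", "internal", 10, "US", "US", 3),
    Request("alice", "analyst", "write:report", "internal", "internal", 10, "US", "US", 3),
    Request("alice", "analyst", "read:report", "secret", "internal", 10, "US", "US", 3),
    Request("bob", "admin", "export:report", "secret", "secret", 14, "US", "US", 4),
    Request("bob", "admin", "export:report", "secret", "secret", 14, "DE", "US", 4),
    Request("bob", "admin", "export:report", "secret", "secret", 3, "DE", "US", 50),
]


def triage(requests=SAMPLE) -> Counter:
    """Tally outcomes for a batch; the alert count is what the SOC would see."""
    tally = Counter()
    for req in requests:
        d = decide(req)
        tally[d.outcome] += 1
        if d.alert:
            tally["alerts"] += 1
    return tally


if __name__ == "__main__":
    for req in SAMPLE:
        print(req.user, req.action, decide(req))
    print(triage())
```

    The ordering matters: RBAC and ABAC are deterministic and cheap, so a request that fails them never reaches the risk stage and never generates noise, while the RAdAC stage only ever tightens an already-authorized decision. Tuning the weights and thresholds is where the "we can't protect everything at 99%" trade-off lives.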

  • 68

    Reasons the Cyber Problem Exists (re: one perspective - SOA / automation security issues)

    1. No top-down common implementation IA guidance, with any usable level of detail

    2. SOA (and overall OA in general) approaches add governance and communications complexities within DOD / Federal spaces

    3. Numerous SOA methods, approaches, schemas - everyone has one; we need just ONE

    4. No unified set of security requirements exists that is traceable to a higher level, common IA core set (like IATF, GIG ICD, etc)

    5. No Federal consensus on key security issues and barriers and gaps

    6. Unclear (too many) authoritative sources, references, standards.

  • 69

    Reasons the Cyber Problem Exists (cont) (as one perspective - SOA / automation security issues)

    7. IA covers virtually everything, so what should SOA prioritize?

    8. IAW SysEngr principles, SOA must follow an EA & standards

    9. No enterprise trust model supporting distributed transitive trust, or an effective model for secure enterprise cross domain access control

    10. Few T&E / V&V, thus C&A, plans exist (this MUST be our DOD end-state)

    11. Institutional blinders to the fact that a networked/internet computer cannot secure data; no electronic means to assess data leakage and data aggregation.

    12. Policy immaturity; policy pre-dates SOA, hence the electronic security foundation is missing. Technology still forges ahead - tools are generations behind and built for other threats.

  • 70

    Common Architectural Flaws that exacerbate Cyber Security problems

    Fragile Chain of Services

    Large Real-time Overhead

    Central Administration Mis-alignment with Practical Administrative boundaries

    Lack of Support for multiple Access Control Models

    No Concept of Risk or Domain Asymmetry or Support for Multiple Mission Vectors

    Rigid Inheritance Model

    Use of Hard-coded Rigid Monolithic Access Control Frameworks and Products

    No Enterprise Concept of Domain Delegation or RAdAC

    Lack of Appropriate Layering and Abstraction

  • 71

    Common Architectural Flaws (cont)

    Inability to Support Multiple and Legacy Models

    Schema and Ontology often Incompatible

    Attributes do not Align

    Methods and Protocols Differ

    Technology and the Embedded Dependencies Differ

    Use of Hard-coded Rigid Monolithic Access Control Frameworks and Products

    Difficult or Inflexible Integration Paths

    Lack of Trustworthiness

    No Support for Unanticipated Users

    Transformations Limited

    Lack of Flexible Rapid Application Development and Modeling Tools with IA Built in to the Framework

    Lack of Fidelity or Even Use of Modeling to Test Performance at Scale

  • 72

    Cyber - Begin with the end in mind

    It's clearly important to understand the desired end result, the instantiation of your vision - having the image of the vision as your frame of reference to evaluate everything else.

    It is also impossible to integrate capability without having a plan and the correct systems in place to run the business.

    Vision execution has to do with the "purposes" of capabilities, which have to do with visualization and complete planning! Bundled within personal and business: (a) leadership (what), (b) management (how), and (c) productivity (doing it well)

    You can take the concept further by questioning the vision itself! Challenge assumptions, barriers, limitations, and obstacles (the five whys?)

    Always apply critical thinking (reflective skepticism) to the vision, as that brings new ideas, fosters teamwork, promotes options, uncovers spinoffs, stimulates a clear head, and fresh perspectives emerge.

    If you don't know where you are headed, seemingly blind alleys won't cut it either / waste $$$

  • 73

    Cyber - Drive out complexity - KISS

    Complexity leads to variation in practice, opportunities for data / operational errors, and increased risk of mission failure. Reducing complexity is key to improving both risk posture and productivity.

    Human engineering and complexity theory teach that WE ALL need to smartly, collaboratively:
    - Simplify - Standardize - Automate - Integrate

    Reducing complexity is a major competitive factor for ensuring supply chain performance and exceeding customer expectations. Given an increasing share of work is outsourced, the challenge of handling complexity has become all the more demanding.

    Companies that do not master complexity risk experiencing supply chain inefficiencies, resulting in non-competitive working capital structures, lower transparency of cost drivers and difficulties in achieving service levels.

    Address complexity in product, processes and organization... and DATA

    Use existing initiatives to simplify both objectives and processes: Just-In-Time, Standardization, Strategic Outsourcing, Supply-chain management, Target costing, Performance Measures...

    Take the "zero-baseline" approach to complexity

  • 74

    Cyber - Maximize investments / ROI

    With a strategic approach to maintenance and effective use of key performance indicators, organizations can better maximize resources, reduce capital and operating costs, and increase their return on investment (ROI). It's all about managing risk, from a high performance organization (HPO) operating perspective.

    The critical elements of successful project value ROI analysis:

    Always start with business goals and challenges versus technology.

    ROI analysis should be completed both for the past and the future.

    Business goals cannot be achieved through technology alone.

    Project benefits cannot always be completely or accurately quantified; intangible elements have value too.

    There are many kinds of project costs in evaluations.

    Analyze your entire technology project portfolio.

    Monitor critical business success metrics and re-evaluate your project alignment process.

    Four ROI pillars: (1) strong foundation / operating plan, (2) defined enterprise effectiveness, (3) business enablement and (4) optimization / differentiation.

    Cyber ROI is misleading - as it's more insurance than investment

  • 75

    COTS / buy versus build (ALWAYS try to drive everything to a commodity state!)

    MUST balance the business needs, short-term and long-term goals, key requirements and available technologies and solutions on the market.

    The company and key stakeholders must always consider and analyze all the options for each project and solution:

    Speed of implementation for a COTS vs. custom solution

    Cost of implementation of a COTS vs. custom build

    Functionality, flexibility and scalability in a COTS vs. custom build

    Support for COTS vs. custom build

    Organizational best practices, current technology and skill sets of employees

    Potential for upgrading, modification and replacement of COTS vs. build

    Key elements in the process:

    1. Properly analyze any COTS systems for suitability - the capability requirements and a technical perspective; concurrent engineering applies even more here

    2. Beware the COTS sales pitch / trap to fall into: being promised functionality that isn't in the COTS at present but they will add for you.

    3. Check for unit tests in the COTS and also what development practices they use; be wary if the vendor isn't giving much info about technical aspects. Is the source code available and have your programmers assessed it?

    Ultimately, if it's a critical business function then do it yourself, no matter what. BUT, with IA/Security/Cyber capabilities only use APLs/VPLs

  • CNCI

    76

    Comprehensive National Cybersecurity Initiative (CNCI). This initiative was launched by the second President Bush in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 back in January 2008. There are 12 mutually-reinforcing initiatives that are intended to establish a front line of defense against today's immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.

    INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is about consolidating our external access points and creating common security solutions across agencies.

    INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 (PDF) capability, with notification going to US-CERT.

    INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3 (PDF) and not only detects intrusions, but actively prevents intrusions into federal systems. This will have serious zero-day and real-time counter-threat capabilities.

    INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to help us get all of our R&D efforts working together, with a better communications and tasking infrastructure. It's an important part of utilizing our resources and our smartest people to the best of their abilities.

    INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing initiative. The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it's also designed to help our various agencies play better with each other.

    INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We're now coordinating activities across all Federal Agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to government and private-sector IT.

  • CNCI

    77

    INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most secret defense and warfighting information. We're continuing to work hard in securing these networks against the changing threat model.

    INITIATIVE #8 -- Expand cyber education. This is where the Comprehensive National Cybersecurity Initiative begins to break down, because it's where all modern cyberdefense breaks down -- the people. We're training more and more cyberdefense experts, but we also need to expand that education up and down government, to corporations, and to individuals. We can have the very best-trained cyberdefense expert in a corporation, say, and it'll all break down if the CEO won't allocate the time or funds to conduct that defense. It's all about making everyone know just how real these threats are.

    INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We'll talk more about future directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in building a better cyberdefense. This is good stuff, and it's the first CNCI initiative that, essentially, opens the door to concepts like Stuxnet (or what The Times claimed the White House called "Olympic Games").